Hi,
I just learned about (and watched) a presentation[1] that is about backdooring the Thinkpad ECs.
This information might help with the task of writing a free software EC firmware[2].
The information is also very useful to get a better idea of the threats due to having a non-free EC firmware. I for instance missed the EC ThinkLight issue when thinking about the security of i945 Lenovo laptops:
-> The EC code is non-free.
-> There is a long wire that goes from the EC to the ThinkLight (that's a potential antenna; according to the talk the Thinkpad EC microcontroller's speed is around 10 MHz, so it seems doable).
-> Since the i945 Thinkpads are often bought second hand, a broken EC light isn't suspicious if you don't know about this issue.
The talk contains a link to an EC firmware dumper[3]. Unfortunately, after cloning it, the git repository contained no code at all. Maybe Ralf-Philipp could comment on that?
In the QA, it is also said that it's possible to talk directly to the EC hardware to dump the firmware (and not the EC firmware) from the computer. The IO addresses he's mentioning look like EC addresses.
I then wonder if it's also possible to flash it in the same way. In that case the firmware had better be able to power on the computer, else some sort of external flashing/recovery would be needed (as it is for coreboot).
The talk also contained a link to the original firmware "commented assembly". I've no idea if it's safe to look at it, but it's better not to do it until we know for sure that it's legally safe. The SFLC (Software Freedom Law Center) might help with that. The people who look at it might be prevented from writing legal free software firmware for such ECs if they do, so beware.
The talk also mentions that the H8 (the Thinkpad EC) has good documentation.
References:
-----------
[1] 27c3-4174-en-the_hidden_nemesis.webm
[2] http://blogs.coreboot.org/blog/tag/h8s/
[3] http://coderpunks.org/ecdumper
Denis.